sign in sign up
<<
Home , Open source, Open Source Initiative, Source code

Open

NIST S 6106.01 Issue Date: 12/06/2018 Effective Date: 12/06/2018

PURPOSE The purpose of this directive is to define requirements for promoting code reuse by making custom-developed Federal source code broadly available across the National Institute of Standards and Technology (NIST) in support of NIST programs.

APPLICABILITY This directive applies to all projects within NIST that commission development of custom software that will be used in a production capacity (i.e., intended to support a collection of users outside the developer’s immediate organization), except for software covered under Section 6 of Office of Management and Budget (OMB) Memorandum M-16-21. The requirements outlined herein do not apply retroactively (i.e., they do not require that existing custom-developed code be retroactively made available for Government-wide reuse or as software.

REFERENCES • National Defense Authorization Act 2015 (FITARA) (Title VIII, Subtitle D. H.. 3979); • Clinger Cohen Act 1996, (USC Title 40 Chapter 113 11301-11303); • Office of Management and Budget, Memorandum 15-14: Management and Oversight of Federal Information Technology; • Office of Management and Budget, Memorandum16-21: Federal Source Code Policy: Achieving Efficiency, , and Innovation through Reusable and Open Source Software; This directive is supplemental to a suite of security controls consisting of: • Department of Commerce, Information Technology Security Program Policy (ITSPP); • Department of Commerce, Commerce Information Technology Requirements (CITRs); • Department of Commerce, Source Code Policy; • NIST, Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, System and Services Acquisition (SA) Family; and • NIST, Information Security Directives.

NIST Suborder 6106.01 Ver. 1 (Uncontrolled Copy in Print) Page 1 DEFINITIONS Custom-Developed Code1 – Custom-developed code is code that is first produced in the performance of a Federal contract or is otherwise fully funded by the Federal Government, including code, or segregable portions of code, for which the Government could obtain unlimited rights under Federal Acquisition Regulations (FAR) Pt. 27 and relevant agency FAR Supplements. Custom-developed code also includes code developed by agency employees as part of their official duties. For the purposes of this policy, custom-developed code may include, but is not limited to, code written for software projects, modules, plugins, scripts, middleware, and APIs; it does not, however, include code that is truly exploratory or disposable in nature, such as that written by a developer experimenting with a new language or . Open Source Software (OSS) – Software that can be accessed, used, modified, and shared by anyone. OSS is often distributed under that comply with the definition of "Open Source" provided by the and/or that meet the definition of "" provided by the . Source Code – Computer commands written in a computer that is meant to be read by people. Generally, source code is a higher-level representation of computer commands as they are written by people and, therefore, must be assembled, interpreted, or compiled before a computer can execute the code as a program.

REQUIREMENTS 1. An appropriate alternatives analysis will be conducted, incorporating the Three-Step Software Solutions Analysis in the alternatives analysis process, as defined in section 3 of OMB M-16-21. 2. At least 20 percent of newly commissioned custom-developed code will be released as OSS. 3. Newly commissioned custom-developed code which is OSS must be registered in the Department of Commerce (DOC) Software Code Inventory. 4. Newly commissioned custom-developed code must include documentation that describes the function, input and output of the module, and any other information relevant to its reuse. 5. Sufficient rights to newly commissioned custom-developed code to fulfill both the Government-wide reuse objectives and the open source release objectives will be obtained. 6. OSS will not automatically be treated as noncommercial software.

1 As defined in Department of Commerce Source Code Policy.

NIST Suborder 6106.01 Ver 1.0 (Uncontrolled Copy in Print) Page 2 7. Exceptions to the requirement defined in this directive may be granted if the following exemption criteria are met: a. The sharing of the source code is restricted by law or regulation, including but not limited to patent or law, the Export Asset Regulations, the International Traffic in Arms Regulation, and the Federal laws and regulations governing classified information; or b. The sharing of the source code would create identifiable risk to the detriment of national security, confidentiality of Government information, or individual privacy; or . The sharing of the source code would create an identifiable risk to the stability, security, or integrity of NIST’s systems or personnel; or d. The sharing of the source code would create an identifiable risk to NIST’s mission, programs, or operations; or e. The NIST Chief Information Officer (CIO) believes it is in the national interest to exempt sharing the source code. 8. Exception requests must explain why compliance is unachievable and must be approved in writing by the NIST CIO.

ROLES AND RESPONSIBILITES Office of the Director • Ensure compliance with the directive across the entire organization. NIST Chief Information Officer • Collect statistics on compliance with this directive annually. • Review and approve exemptions from this directive. Office of Information Systems Management • Assist in the determination of what code is reusable. • Ensure all custom OSS is registered in the DOC Software Code Inventory. • Manage this directive to ensure alignment with Federal and DOC policies.

DIRECTIVE OWNER 18 - Office of Information Systems Management

APPENDICES A. Revision History

NIST Suborder 6106.01 Ver 1.0 (Uncontrolled Copy in Print) Page 3 Appendix A

REVISION HISTORY

Revision Date Responsible Person Description of Change 11/20/2018 Islelly Castillo Initial Version (OISM)

Rev. .01

NIST Suborder 6106.01 Ver 1.0 (Uncontrolled Copy in Print) Page 4